Authentic8 Blog Category: Security

2019 in Review: Data Breach Statistics and Trends

What were the most significant data breaches in 2019? Will ransomware still be a threat in 2020? (Spoiler alert: It’s forecast to be worse than ever.) Which industries were attacked most?

*

We have put together a shortlist of overview articles, surveys, and posts worth returning to for use as a quick reference to consult in 2020.

2019 Data Breach Hall of Shame

Cnet’s Rae Hodge revisits the biggest data breaches of the past year, and she has two words for readers: “unsecured database.” Two years after we posted this, security researchers report more unintentional leakage than ever in 2019.

According to Risk Based Security, (reported) breaches were up 33% over 2018, with a total of 7.9 billion exposed records. As early as in November, the research firm labeled 2019 the "worst year on record."

Illustration: 2019 in Review: Data Breach Statistics and Trends (Authentic8 Blog)

ABA Tech Report 2019: Cybersecurity

The American Bar Association conducts an annual Legal Technology Survey, which culminates in a report on attorney’s use of

2019 - the Year of Fake Security

Record data breaches and a new survey published in December indicate that cybersecurity snake oil peddlers had a ball last year. Their customers, not so much.

*

Remember Francis ("Frankie") Archibald Keyes, Esquire from RSA 2018 and 2019? According to survey results from last year's RSA Conference in San Francisco, the fictitious cybersecurity figure enjoyed significantly higher trust among IT professionals than most real-life vendors or experts.

Of those surveyed in our Cybersecurity Approval Poll at RSA, a total of 88% stated that they trusted Mr. Keyes "much more," "slightly more" or "about the same" as "other cybersecurity vendors and experts."

Frankie was completely made up by Authentic8, and for a short while, his meteoric rise to notoriety had our sales team worried. Would he become more famous than Silo, our pioneering Silo cloud browser and web isolation platform?


Francis ("Frankie") Archibald Keyes, the face of Fake Security in 2019

Those fears were put to rest quickly (sorry, Frankie). At the same time,

JavaScript: How NPM Maintainer Accounts Amplify Risk

20 compromised JavaScript package “maintainer” accounts - that’s all it takes to bring down the global digital supply chain through malicious code executed in the browser.

*

Attackers need to target only 20 specific maintainer accounts to reach more than half of the entire JavaScript npm ecosystem, security researchers warn. With regular browsers on the receiving end, ready to indiscriminately execute code from affected web pages, this can trigger a disastrous chain reaction.

More than 800,000 free and reusable software packages are available through the npm (“node package manager”) software package registry. Should an attacker breach one of these at-risk accounts, it could bring down the digital supply chain worldwide, the findings of the Technical University of Darmstadt (TU Darmstadt) in Germany indicate.

In their report for Usenix, Small World with High Risks: A Study of Security Threats in the npm Ecosystem, Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel shine a light on the widespread use of npm packages

Ideas That Become Obvious In Hindsight

Interview: Authentic8 Co-founder and CEO Scott Petry on Leo Laporte's TWiT.tv

Were you excited when Apple presented the Newton mobile device to the world, a glimpse into a future starring the iPhone? Or perhaps relieved when the email Spam Wars were won by Postini, a Silicon Valley startup later bought by Google, where it became the core of Gmail?

The ideas and concepts that drove both breakthrough innovations initially faced ridicule (in the case of Newton) and skepticism. What they have in common is that today, they are obvious in hindsight.

What they also share is a name: Scott Petry. His career took him from Apple's Newton team to founding and later selling Postini - which solved the email spam problem - to Google and from there to his current role as Co-founder and CEO of Authentic8, which pioneered remote browser isolation in the cloud.

Do we have a theme here? Leo Laporte thinks so. The award-winning tech journalist and founder

How to Detect Browser Extensions

Working on new methods and tools to identify browser exploits, I recently came across a common question again in a forum: "Is it possible to detect what browser extensions I have installed?"

That information would be of value to various people for several reasons. Online attackers and snoops stand to gain most from it. Examples:

  • Browser extension details can help fingerprint the client from others, as in: "This client uses a Google Translate browser extension. This other client does not."
  • Plugin information can also aid in targeted client exploitation, as in: "This this client has version 2.0.6 of the [bleep] password manager installed, with working exploits A, B, and C."
  • Addon identification can also be leveraged to hijack the local browser, as in: "This developer's Gmail account has been pwned; let's use it to push a malicious update."


Sounds far-fetched? I wish it were. Check out our blog posts with real-life examples: JavaScript Template Attacks, Password Manager Extension Exploit, and